The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.
The vulnerability results from the lack of an authentication mechanism (CWE-306 — Missing Authentication for Critical Function) in the administrative web interface of the application. An attacker remotely, without any credentials, can gain direct access to the administrative functions of the system. No user interaction or special network conditions are required — network access to the interface is sufficient.
An attacker can read sensitive system information and upload arbitrary files to the server without knowing the password, which may lead to complete takeover of the SCADA system and pose a threat to industrial infrastructure.
Patches available from the manufacturer should be applied according to the references. Update available at the manufacturer's address: https://www.myscada.org/downloads/mySCADAPROManager/. Until the patch is implemented, it is recommended to restrict network access to the administrative interface only to trusted IP addresses and isolate the system from public networks using a firewall.
mySCADA myPRO Manager product — versions specified in the manufacturer's references and in the CISA ICS-CERT advisory (ICSA-25-044-16)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XMyscada Mypro
APPMyscada< 1.4
Related vulnerabilities
mySCADA myPRO Manager — przechowywanie poświadczeń w postaci jawnej (cleartext)
Command Injection w mySCADA myPRO Manager — zdalne wykonanie poleceń OS
mySCADA myPRO — hardcoded password umożliwiający zdalne wykonanie kodu
An authenticated mySCADA myPRO 8.26.0 user may be able to modify parameters to run commands directly in the op...
mySCADA myPRO: Versions 8.20.0 and prior has a feature to send emails, which may allow an attacker to inject a...